It is a new practice of email phishing attack (Phishing scam) which targets the owners of .ro domains, especially those whose domains are reserved and or hosted at ROMARG.
For several days, several owners of .ro domains have been receiving e-mails in which they are informed that the services for a domain registered through ROMARG is about to expire and the validity period must be renewed. Within 2 days.
In the text of the message received by e-mail is indicated a fake hyperlink which, if accessed, leads to a page where confidential data is requested making an online payment. Of course, these data are easy stolen by the attacker (if they are entered by the victim). The practice is called Phishing scam. Cybercrime.
Dear customer, we tried to renew your services, but the payment failed for the domain name domain name.ro registered with us.
TheROMARG Team.
Our billing system has detected that this service will expire in two days.
To reactivate it, simply access our website and use the renewal order.
Please follow the instructions in the link below:
ROMARG.RO/Renewal/l/Domain/numedomeniu.ro
Thank you for choosing ROMARG.
With "TheROMARG Team” written wrongly and in red they kind of gave it away, but out of hundreds of recipients there will be those who will fall into the net of this email phishing attack.
How to spot a fake hyperlink in a phishing email attack
This type of phishing messages that use fake links (hyperlinks) are the most deceptive and among the most used methods by attackers. Many users do not know how to do it the difference between the link displayed in the message and the real link who is behind him. That is, the one the user reaches when he clicks.
In the message above, if we move the mouse over the URL indicated by the attacker (on the hyperlink), without clicking, we notice that we are sent to a different web address than the one written in the message. https://firstoneshopping.be/….
Most of the time in this email phishing practice with a fake hyperlink, the attacker uses trusted names for the displayed web address. google, iCloud, Microsoft. In this case, it is presented in capital letters "ROMARG.RO/…".
It is an even more aggressive practice spoofed URL. When the address of the Internet domain on which the fraud is carried out is close in name to the legitimate address on which users have accounts.
A real link but of spoof web address would be like: https://romarg-ro.io/... Inadvertently, some users will be misled by "romarg-ro" in the URL name. Termination (TLD) .io indicates that the domain is registered in the British area of the Indian Ocean and is not subject to almost any legislation. So it's a breeding ground for online fraud.
To better understand how you can identify a fake hyperlink in a phishing message, look at an example:
– Hyperlinks: stealthsettings.com/awareness/
If you move your mouse over the hyperlink above, without clicking, you will notice at the bottom that a different web address appears than the one you see on the web page. The real address you will reach when you click. https://ihowto.tips.
So, a fake hyperlink can be placed in an e-mail message (for e-mail phishing attack), an e-mail signature, document Word, web page or wherever HTML code is accepted.
Atentia is the best "software" of protection against computer attacks of this type. Awareness.
